Concerns about an Iranian cyber-response to the recent American military strike in Baghdad grew earlier this week with the US Department of Homeland Security urging organisations to be on heightened alert for denial-of-service and other more destructive attacks.
Israel Barak, Chief Information Security Officer at Cybereason, said: “The networks for critical infrastructure systems are at risk because they are old and fragile. While there has been a renewed focus recently on analysing the cyber capabilities of Iran, don’t think for a minute that state-sponsored Iranian threat groups aren’t constantly looking for vulnerabilities and entry into the networks of government agencies, contractors and enterprises.
“Taking down oil and gas, telecommunications, transportation and electricity networks has long been a priority for nation-states. It would be foolish to have a false sense of security today thinking that the defenders are stopping the attacks any more efficiently today than they were a few years ago.”
Cybereason makes the following prevention recommendations for protecting critical infrastructure networks:
- Increase organisational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behaviour, in particular known Iranian indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs).
- Operators of critical infrastructure networks need to operate a unified security operations centre (SOC) that provides visibility into both the IT and OT environments because nation-states and rogue attackers are looking to use IT environments as gateways into OT environments. A unified SOC allows security teams to see all the operations taking place as hackers try to move through the network.
- Threat hunting is critical. This activity looks for indicators that attackers are already in a company’s environment. Instead of waiting to react to an alert issued by a security tool, threat hunting allows defenders to detect a nation-state actor before it causes severe damage to a network.
- Confirm reporting processes. Ensure that personnel know how and when to report an incident.
- Exercise incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident.
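The first three recommendations (watch for known IoCs and TTPs, keep IT-to-OT traffic visible in one SOC, and hunt proactively rather than waiting for alerts) can be illustrated with a small hunting script. The following is an added example, not code from Cybereason or from the article. The indicator values, the IT and OT address ranges and the log format are all constructed placeholders for the example; a real hunt would load indicators from a threat-intelligence feed and read the SOC's own DNS, firewall and endpoint logs.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator set: placeholder values, not indicators from any real report.
IOC_DOMAINS = {"update-check.example.invalid", "cdn-sync.example.invalid"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_SHA256 = {"0" * 63 + "1"}  # placeholder hash, not a real sample

# Assumed address plan (hypothetical): corporate IT network and OT/ICS network.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.200.0.0/16")

# Constructed unified log format: "TIMESTAMP KIND key=value key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn|proc)\s+(?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    host: str    # the IT-side asset the event is attributed to
    reason: str  # why this line merits analyst attention
    line: str    # the raw log line, kept for triage


def parse_line(line):
    """Parse one log line into (kind, fields); return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return m.group("kind"), fields


def in_net(addr, net):
    """True if addr is a valid IP inside net; malformed addresses never match."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


def hunt(lines):
    """Scan log lines for IoC matches and for IT-to-OT crossings."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not treated as findings
        kind, f = parsed
        if kind == "dns" and f.get("query", "").lower() in IOC_DOMAINS:
            findings.append(Finding(f.get("src", "?"), "dns-query-to-ioc-domain", line))
        elif kind == "conn":
            src, dst = f.get("src", ""), f.get("dst", "")
            if dst in IOC_IPS:
                findings.append(Finding(src, "connection-to-ioc-ip", line))
            elif in_net(src, IT_NET) and in_net(dst, OT_NET):
                # The article's concern: IT hosts used as a gateway into OT.
                findings.append(Finding(src, "it-to-ot-crossing", line))
        elif kind == "proc" and f.get("sha256", "").lower() in IOC_SHA256:
            findings.append(Finding(f.get("host", "?"), "process-hash-matches-ioc", line))
    return findings


def escalate(findings, threshold=2):
    """Hosts with at least `threshold` findings are escalated to incident response."""
    counts = Counter(fi.host for fi in findings)
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample logs: one IT host touches an IoC domain, an IoC IP, an OT
# device on the Modbus port and runs an IoC-hashed binary; a second host is benign.
SAMPLE_LOGS = [
    "2020-01-06T10:00:01Z dns src=10.10.4.21 query=update-check.example.invalid",
    "2020-01-06T10:00:05Z conn src=10.10.4.21 dst=203.0.113.45 dport=443",
    "2020-01-06T10:01:10Z conn src=10.10.4.21 dst=10.200.1.5 dport=502",
    "2020-01-06T10:02:00Z proc host=10.10.4.21 sha256=" + "0" * 63 + "1 name=svc.exe",
    "2020-01-06T10:03:00Z conn src=10.10.7.9 dst=192.0.2.10 dport=443",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for fi in found:
        print(f"[{fi.reason}] host={fi.host} :: {fi.line}")
    print("escalate:", escalate(found))
```

The IoC matches are the "known indicators" part of the first recommendation; the IT-to-OT rule is the kind of check only a SOC that sees both environments can make, which is the second recommendation's point. Escalating a host on repeated findings, rather than on a single tool alert, is the hunting posture the third recommendation describes.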